From: Greg Kroah-Hartman Date: Mon, 3 Sep 2018 13:32:34 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.121~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ada60b10b521adc69a3035308cb442943e05b73c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch iscsi-target-fix-session-creation-failure-handling.patch kprobes-make-list-and-blacklist-root-user-read-only.patch mips-correct-the-64-bit-dsp-accumulator-register-size.patch mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch s390-fix-br_r1_trampoline-for-machines-without-exrl.patch s390-pci-fix-out-of-bounds-access-during-irq-setup.patch s390-qdio-reset-old-sbal_state-flags.patch scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch --- diff --git a/queue-4.4/cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch b/queue-4.4/cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch new file mode 100644 index 00000000000..a0026acc2c9 --- /dev/null +++ b/queue-4.4/cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch @@ -0,0 +1,36 @@ +From 8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4 Mon Sep 17 00:00:00 2001 +From: Scott Bauer +Date: Thu, 26 Apr 2018 11:51:08 -0600 +Subject: cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status + +From: Scott Bauer + +commit 8f3fafc9c2f0ece10832c25f7ffcb07c97a32ad4 upstream. + +Like d88b6d04: "cdrom: information leak in cdrom_ioctl_media_changed()" + +There is another cast from unsigned long to int which causes +a bounds check to fail with specially crafted input. The value is +then used as an index in the slot array in cdrom_slot_status(). + +Signed-off-by: Scott Bauer +Signed-off-by: Scott Bauer +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cdrom/cdrom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2526,7 +2526,7 @@ static int cdrom_ioctl_drive_status(stru + if (!CDROM_CAN(CDC_SELECT_DISC) || + (arg == CDSL_CURRENT || arg == CDSL_NONE)) + return cdi->ops->drive_status(cdi, CDSL_CURRENT); +- if (((int)arg >= cdi->capacity)) ++ if (arg >= cdi->capacity) + return -EINVAL; + return cdrom_slot_status(cdi, arg); + } diff --git a/queue-4.4/iscsi-target-fix-session-creation-failure-handling.patch b/queue-4.4/iscsi-target-fix-session-creation-failure-handling.patch new file mode 100644 index 00000000000..70664557c37 --- /dev/null +++ b/queue-4.4/iscsi-target-fix-session-creation-failure-handling.patch @@ -0,0 +1,98 @@ +From 26abc916a898d34c5ad159315a2f683def3c5555 Mon Sep 17 00:00:00 2001 +From: Mike Christie +Date: Thu, 26 Jul 2018 12:13:49 -0500 +Subject: iscsi target: fix session creation failure handling + +From: Mike Christie + +commit 26abc916a898d34c5ad159315a2f683def3c5555 upstream. + +The problem is that iscsi_login_zero_tsih_s1 sets conn->sess early in +iscsi_login_set_conn_values. If the function fails later like when we +alloc the idr it does kfree(sess) and leaves the conn->sess pointer set. +iscsi_login_zero_tsih_s1 then returns -Exyz and we then call +iscsi_target_login_sess_out and access the freed memory. + +This patch has iscsi_login_zero_tsih_s1 either completely setup the +session or completely tear it down, so later in +iscsi_target_login_sess_out we can just check for it being set to the +connection. + +Cc: stable@vger.kernel.org +Fixes: 0957627a9960 ("iscsi-target: Fix sess allocation leak in...") +Signed-off-by: Mike Christie +Acked-by: Martin K. Petersen +Signed-off-by: Matthew Wilcox +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_login.c | 35 ++++++++++++++++++------------ + 1 file changed, 21 insertions(+), 14 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_login.c ++++ b/drivers/target/iscsi/iscsi_target_login.c +@@ -323,8 +323,7 @@ static int iscsi_login_zero_tsih_s1( + pr_err("idr_alloc() for sess_idr failed\n"); + iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, + ISCSI_LOGIN_STATUS_NO_RESOURCES); +- kfree(sess); +- return -ENOMEM; ++ goto free_sess; + } + + sess->creation_time = get_jiffies_64(); +@@ -340,20 +339,28 @@ static int iscsi_login_zero_tsih_s1( + ISCSI_LOGIN_STATUS_NO_RESOURCES); + pr_err("Unable to allocate memory for" + " struct iscsi_sess_ops.\n"); +- kfree(sess); +- return -ENOMEM; ++ goto remove_idr; + } + + sess->se_sess = transport_init_session(TARGET_PROT_NORMAL); + if (IS_ERR(sess->se_sess)) { + iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_TARGET_ERR, + ISCSI_LOGIN_STATUS_NO_RESOURCES); +- kfree(sess->sess_ops); +- kfree(sess); +- return -ENOMEM; ++ goto free_ops; + } + + return 0; ++ ++free_ops: ++ kfree(sess->sess_ops); ++remove_idr: ++ spin_lock_bh(&sess_idr_lock); ++ idr_remove(&sess_idr, sess->session_index); ++ spin_unlock_bh(&sess_idr_lock); ++free_sess: ++ kfree(sess); ++ conn->sess = NULL; ++ return -ENOMEM; + } + + static int iscsi_login_zero_tsih_s2( +@@ -1142,13 +1149,13 @@ void iscsi_target_login_sess_out(struct + ISCSI_LOGIN_STATUS_INIT_ERR); + if (!zero_tsih || !conn->sess) + goto old_sess_out; +- if (conn->sess->se_sess) +- transport_free_session(conn->sess->se_sess); +- if (conn->sess->session_index != 0) { +- spin_lock_bh(&sess_idr_lock); +- idr_remove(&sess_idr, conn->sess->session_index); +- spin_unlock_bh(&sess_idr_lock); +- } ++ ++ transport_free_session(conn->sess->se_sess); ++ ++ spin_lock_bh(&sess_idr_lock); ++ idr_remove(&sess_idr, conn->sess->session_index); ++ spin_unlock_bh(&sess_idr_lock); ++ + kfree(conn->sess->sess_ops); + kfree(conn->sess); + conn->sess = NULL; diff --git a/queue-4.4/kprobes-make-list-and-blacklist-root-user-read-only.patch b/queue-4.4/kprobes-make-list-and-blacklist-root-user-read-only.patch new file mode 100644 index 00000000000..0f08a4b0626 --- /dev/null +++ b/queue-4.4/kprobes-make-list-and-blacklist-root-user-read-only.patch @@ -0,0 +1,63 @@ +From f2a3ab36077222437b4826fc76111caa14562b7c Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Sat, 28 Apr 2018 21:35:01 +0900 +Subject: kprobes: Make list and blacklist root user read only + +From: Masami Hiramatsu + +commit f2a3ab36077222437b4826fc76111caa14562b7c upstream. + +Since the blacklist and list files on debugfs indicates +a sensitive address information to reader, it should be +restricted to the root user. + +Suggested-by: Thomas Richter +Suggested-by: Ingo Molnar +Signed-off-by: Masami Hiramatsu +Cc: Ananth N Mavinakayanahalli +Cc: Anil S Keshavamurthy +Cc: Arnd Bergmann +Cc: David Howells +Cc: David S . Miller +Cc: Heiko Carstens +Cc: Jon Medhurst +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Tobin C . Harding +Cc: Will Deacon +Cc: acme@kernel.org +Cc: akpm@linux-foundation.org +Cc: brueckner@linux.vnet.ibm.com +Cc: linux-arch@vger.kernel.org +Cc: rostedt@goodmis.org +Cc: schwidefsky@de.ibm.com +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/lkml/152491890171.9916.5183693615601334087.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kprobes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -2441,7 +2441,7 @@ static int __init debugfs_kprobe_init(vo + if (!dir) + return -ENOMEM; + +- file = debugfs_create_file("list", 0444, dir, NULL, ++ file = debugfs_create_file("list", 0400, dir, NULL, + &debugfs_kprobes_operations); + if (!file) + goto error; +@@ -2451,7 +2451,7 @@ static int __init debugfs_kprobe_init(vo + if (!file) + goto error; + +- file = debugfs_create_file("blacklist", 0444, dir, NULL, ++ file = debugfs_create_file("blacklist", 0400, dir, NULL, + &debugfs_kprobe_blacklist_ops); + if (!file) + goto error; diff --git a/queue-4.4/mips-correct-the-64-bit-dsp-accumulator-register-size.patch b/queue-4.4/mips-correct-the-64-bit-dsp-accumulator-register-size.patch new file mode 100644 index 00000000000..62597837ca4 --- /dev/null +++ b/queue-4.4/mips-correct-the-64-bit-dsp-accumulator-register-size.patch @@ -0,0 +1,71 @@ +From f5958b4cf4fc38ed4583ab83fb7c4cd1ab05f47b Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 15 May 2018 23:33:26 +0100 +Subject: MIPS: Correct the 64-bit DSP accumulator register size + +From: Maciej W. Rozycki + +commit f5958b4cf4fc38ed4583ab83fb7c4cd1ab05f47b upstream. + +Use the `unsigned long' rather than `__u32' type for DSP accumulator +registers, like with the regular MIPS multiply/divide accumulator and +general-purpose registers, as all are 64-bit in 64-bit implementations +and using a 32-bit data type leads to contents truncation on context +saving. + +Update `arch_ptrace' and `compat_arch_ptrace' accordingly, removing +casts that are similarly not used with multiply/divide accumulator or +general-purpose register accesses. + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Paul Burton +Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.") +Patchwork: https://patchwork.linux-mips.org/patch/19329/ +Cc: Alexander Viro +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-fsdevel@vger.kernel.org +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # 2.6.15+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/processor.h | 2 +- + arch/mips/kernel/ptrace.c | 2 +- + arch/mips/kernel/ptrace32.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/mips/include/asm/processor.h ++++ b/arch/mips/include/asm/processor.h +@@ -131,7 +131,7 @@ struct mips_fpu_struct { + + #define NUM_DSP_REGS 6 + +-typedef __u32 dspreg_t; ++typedef unsigned long dspreg_t; + + struct mips_dsp_state { + dspreg_t dspr[NUM_DSP_REGS]; +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -879,7 +879,7 @@ long arch_ptrace(struct task_struct *chi + goto out; + } + dregs = __get_dsp_regs(child); +- tmp = (unsigned long) (dregs[addr - DSP_BASE]); ++ tmp = dregs[addr - DSP_BASE]; + break; + } + case DSP_CONTROL: +--- a/arch/mips/kernel/ptrace32.c ++++ b/arch/mips/kernel/ptrace32.c +@@ -140,7 +140,7 @@ long compat_arch_ptrace(struct task_stru + goto out; + } + dregs = __get_dsp_regs(child); +- tmp = (unsigned long) (dregs[addr - DSP_BASE]); ++ tmp = dregs[addr - DSP_BASE]; + break; + } + case DSP_CONTROL: diff --git a/queue-4.4/mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch b/queue-4.4/mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch new file mode 100644 index 00000000000..a514e54cfba --- /dev/null +++ b/queue-4.4/mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch @@ -0,0 +1,62 @@ +From 690d9163bf4b8563a2682e619f938e6a0443947f Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Tue, 21 Aug 2018 12:12:59 -0700 +Subject: MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7 + +From: Paul Burton + +commit 690d9163bf4b8563a2682e619f938e6a0443947f upstream. + +Some versions of GCC suboptimally generate calls to the __multi3() +intrinsic for MIPS64r6 builds, resulting in link failures due to the +missing function: + + LD vmlinux.o + MODPOST vmlinux.o + kernel/bpf/verifier.o: In function `kmalloc_array': + include/linux/slab.h:631: undefined reference to `__multi3' + fs/select.o: In function `kmalloc_array': + include/linux/slab.h:631: undefined reference to `__multi3' + ... + +We already have a workaround for this in which we provide the +instrinsic, but we do so selectively for GCC 7 only. Unfortunately the +issue occurs with older GCC versions too - it has been observed with +both GCC 5.4.0 & GCC 6.4.0. + +MIPSr6 support was introduced in GCC 5, so all major GCC versions prior +to GCC 8 are affected and we extend our workaround accordingly to all +MIPS64r6 builds using GCC versions older than GCC 8. + +Signed-off-by: Paul Burton +Reported-by: Vladimir Kondratiev +Fixes: ebabcf17bcd7 ("MIPS: Implement __multi3 for GCC7 MIPS64r6 builds") +Patchwork: https://patchwork.linux-mips.org/patch/20297/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org # 4.15+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lib/multi3.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/mips/lib/multi3.c ++++ b/arch/mips/lib/multi3.c +@@ -4,12 +4,12 @@ + #include "libgcc.h" + + /* +- * GCC 7 suboptimally generates __multi3 calls for mips64r6, so for that +- * specific case only we'll implement it here. ++ * GCC 7 & older can suboptimally generate __multi3 calls for mips64r6, so for ++ * that specific case only we implement that intrinsic here. + * + * See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82981 + */ +-#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ == 7) ++#if defined(CONFIG_64BIT) && defined(CONFIG_CPU_MIPSR6) && (__GNUC__ < 8) + + /* multiply 64-bit values, low 64-bits returned */ + static inline long long notrace dmulu(long long a, long long b) diff --git a/queue-4.4/s390-fix-br_r1_trampoline-for-machines-without-exrl.patch b/queue-4.4/s390-fix-br_r1_trampoline-for-machines-without-exrl.patch new file mode 100644 index 00000000000..66bed02b893 --- /dev/null +++ b/queue-4.4/s390-fix-br_r1_trampoline-for-machines-without-exrl.patch @@ -0,0 +1,35 @@ +From 26f843848bae973817b3587780ce6b7b0200d3e4 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Mon, 6 Aug 2018 14:26:39 +0200 +Subject: s390: fix br_r1_trampoline for machines without exrl + +From: Martin Schwidefsky + +commit 26f843848bae973817b3587780ce6b7b0200d3e4 upstream. + +For machines without the exrl instruction the BFP jit generates +code that uses an "br %r1" instruction located in the lowcore page. +Unfortunately there is a cut & paste error that puts an additional +"larl %r1,.+14" instruction in the code that clobbers the branch +target address in %r1. Remove the larl instruction. + +Cc: # v4.17+ +Fixes: de5cb6eb51 ("s390: use expoline thunks in the BPF JIT") +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/net/bpf_jit_comp.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -522,8 +522,6 @@ static void bpf_jit_epilogue(struct bpf_ + /* br %r1 */ + _EMIT2(0x07f1); + } else { +- /* larl %r1,.+14 */ +- EMIT6_PCREL_RILB(0xc0000000, REG_1, jit->prg + 14); + /* ex 0,S390_lowcore.br_r1_tampoline */ + EMIT4_DISP(0x44000000, REG_0, REG_0, + offsetof(struct _lowcore, br_r1_trampoline)); diff --git a/queue-4.4/s390-pci-fix-out-of-bounds-access-during-irq-setup.patch b/queue-4.4/s390-pci-fix-out-of-bounds-access-during-irq-setup.patch new file mode 100644 index 00000000000..29d3945947c --- /dev/null +++ b/queue-4.4/s390-pci-fix-out-of-bounds-access-during-irq-setup.patch @@ -0,0 +1,36 @@ +From 866f3576a72b2233a76dffb80290f8086dc49e17 Mon Sep 17 00:00:00 2001 +From: Sebastian Ott +Date: Mon, 13 Aug 2018 11:26:46 +0200 +Subject: s390/pci: fix out of bounds access during irq setup + +From: Sebastian Ott + +commit 866f3576a72b2233a76dffb80290f8086dc49e17 upstream. + +During interrupt setup we allocate interrupt vectors, walk the list of msi +descriptors, and fill in the message data. Requesting more interrupts than +supported on s390 can lead to an out of bounds access. + +When we restrict the number of interrupts we should also stop walking the +msi list after all supported interrupts are handled. + +Cc: stable@vger.kernel.org +Signed-off-by: Sebastian Ott +Signed-off-by: Heiko Carstens +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/pci/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/s390/pci/pci.c ++++ b/arch/s390/pci/pci.c +@@ -412,6 +412,8 @@ int arch_setup_msi_irqs(struct pci_dev * + hwirq = 0; + for_each_pci_msi_entry(msi, pdev) { + rc = -EIO; ++ if (hwirq >= msi_vecs) ++ break; + irq = irq_alloc_desc(0); /* Alloc irq on node 0 */ + if (irq < 0) + goto out_msi; diff --git a/queue-4.4/s390-qdio-reset-old-sbal_state-flags.patch b/queue-4.4/s390-qdio-reset-old-sbal_state-flags.patch new file mode 100644 index 00000000000..b2522a939df --- /dev/null +++ b/queue-4.4/s390-qdio-reset-old-sbal_state-flags.patch @@ -0,0 +1,66 @@ +From 64e03ff72623b8c2ea89ca3cb660094e019ed4ae Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Wed, 16 May 2018 09:37:25 +0200 +Subject: s390/qdio: reset old sbal_state flags + +From: Julian Wiedmann + +commit 64e03ff72623b8c2ea89ca3cb660094e019ed4ae upstream. + +When allocating a new AOB fails, handle_outbound() is still capable of +transmitting the selected buffer (just without async completion). + +But if a previous transfer on this queue slot used async completion, its +sbal_state flags field is still set to QDIO_OUTBUF_STATE_FLAG_PENDING. +So when the upper layer driver sees this stale flag, it expects an async +completion that never happens. + +Fix this by unconditionally clearing the flags field. + +Fixes: 104ea556ee7f ("qdio: support asynchronous delivery of storage blocks") +Cc: #v3.2+ +Signed-off-by: Julian Wiedmann +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/qdio.h | 1 - + drivers/s390/cio/qdio_main.c | 5 ++--- + 2 files changed, 2 insertions(+), 4 deletions(-) + +--- a/arch/s390/include/asm/qdio.h ++++ b/arch/s390/include/asm/qdio.h +@@ -261,7 +261,6 @@ struct qdio_outbuf_state { + void *user; + }; + +-#define QDIO_OUTBUF_STATE_FLAG_NONE 0x00 + #define QDIO_OUTBUF_STATE_FLAG_PENDING 0x01 + + #define CHSC_AC1_INITIATE_INPUTQ 0x80 +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -640,21 +640,20 @@ static inline unsigned long qdio_aob_for + unsigned long phys_aob = 0; + + if (!q->use_cq) +- goto out; ++ return 0; + + if (!q->aobs[bufnr]) { + struct qaob *aob = qdio_allocate_aob(); + q->aobs[bufnr] = aob; + } + if (q->aobs[bufnr]) { +- q->sbal_state[bufnr].flags = QDIO_OUTBUF_STATE_FLAG_NONE; + q->sbal_state[bufnr].aob = q->aobs[bufnr]; + q->aobs[bufnr]->user1 = (u64) q->sbal_state[bufnr].user; + phys_aob = virt_to_phys(q->aobs[bufnr]); + WARN_ON_ONCE(phys_aob & 0xFF); + } + +-out: ++ q->sbal_state[bufnr].flags = 0; + return phys_aob; + } + diff --git a/queue-4.4/scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch b/queue-4.4/scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch new file mode 100644 index 00000000000..e5b5f67e807 --- /dev/null +++ b/queue-4.4/scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch @@ -0,0 +1,164 @@ +From 0ee223b2e1f67cb2de9c0e3247c510d846e74d63 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 2 Aug 2018 10:51:41 -0700 +Subject: scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock + +From: Bart Van Assche + +commit 0ee223b2e1f67cb2de9c0e3247c510d846e74d63 upstream. + +A long time ago the unfortunate decision was taken to add a self-deletion +attribute to the sysfs SCSI device directory. That decision was unfortunate +because self-deletion is really tricky. We can't drop that attribute +because widely used user space software depends on it, namely the +rescan-scsi-bus.sh script. Hence this patch that avoids that writing into +that attribute triggers a deadlock. See also commit 7973cbd9fbd9 ("[PATCH] +add sysfs attributes to scan and delete scsi_devices"). + +This patch avoids that self-removal triggers the following deadlock: + +====================================================== +WARNING: possible circular locking dependency detected +4.18.0-rc2-dbg+ #5 Not tainted +------------------------------------------------------ +modprobe/6539 is trying to acquire lock: +000000008323c4cd (kn->count#202){++++}, at: kernfs_remove_by_name_ns+0x45/0x90 + +but task is already holding lock: +00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod] + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (&shost->scan_mutex){+.+.}: + __mutex_lock+0xfe/0xc70 + mutex_lock_nested+0x1b/0x20 + scsi_remove_device+0x26/0x40 [scsi_mod] + sdev_store_delete+0x27/0x30 [scsi_mod] + dev_attr_store+0x3e/0x50 + sysfs_kf_write+0x87/0xa0 + kernfs_fop_write+0x190/0x230 + __vfs_write+0xd2/0x3b0 + vfs_write+0x101/0x270 + ksys_write+0xab/0x120 + __x64_sys_write+0x43/0x50 + do_syscall_64+0x77/0x230 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +-> #0 (kn->count#202){++++}: + lock_acquire+0xd2/0x260 + __kernfs_remove+0x424/0x4a0 + kernfs_remove_by_name_ns+0x45/0x90 + remove_files.isra.1+0x3a/0x90 + sysfs_remove_group+0x5c/0xc0 + sysfs_remove_groups+0x39/0x60 + device_remove_attrs+0x82/0xb0 + device_del+0x251/0x580 + __scsi_remove_device+0x19f/0x1d0 [scsi_mod] + scsi_forget_host+0x37/0xb0 [scsi_mod] + scsi_remove_host+0x9b/0x150 [scsi_mod] + sdebug_driver_remove+0x4b/0x150 [scsi_debug] + device_release_driver_internal+0x241/0x360 + device_release_driver+0x12/0x20 + bus_remove_device+0x1bc/0x290 + device_del+0x259/0x580 + device_unregister+0x1a/0x70 + sdebug_remove_adapter+0x8b/0xf0 [scsi_debug] + scsi_debug_exit+0x76/0xe8 [scsi_debug] + __x64_sys_delete_module+0x1c1/0x280 + do_syscall_64+0x77/0x230 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&shost->scan_mutex); + lock(kn->count#202); + lock(&shost->scan_mutex); + lock(kn->count#202); + + *** DEADLOCK *** + +2 locks held by modprobe/6539: + #0: 00000000efaf9298 (&dev->mutex){....}, at: device_release_driver_internal+0x68/0x360 + #1: 00000000a6ec2c69 (&shost->scan_mutex){+.+.}, at: scsi_remove_host+0x21/0x150 [scsi_mod] + +stack backtrace: +CPU: 10 PID: 6539 Comm: modprobe Not tainted 4.18.0-rc2-dbg+ #5 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Call Trace: + dump_stack+0xa4/0xf5 + print_circular_bug.isra.34+0x213/0x221 + __lock_acquire+0x1a7e/0x1b50 + lock_acquire+0xd2/0x260 + __kernfs_remove+0x424/0x4a0 + kernfs_remove_by_name_ns+0x45/0x90 + remove_files.isra.1+0x3a/0x90 + sysfs_remove_group+0x5c/0xc0 + sysfs_remove_groups+0x39/0x60 + device_remove_attrs+0x82/0xb0 + device_del+0x251/0x580 + __scsi_remove_device+0x19f/0x1d0 [scsi_mod] + scsi_forget_host+0x37/0xb0 [scsi_mod] + scsi_remove_host+0x9b/0x150 [scsi_mod] + sdebug_driver_remove+0x4b/0x150 [scsi_debug] + device_release_driver_internal+0x241/0x360 + device_release_driver+0x12/0x20 + bus_remove_device+0x1bc/0x290 + device_del+0x259/0x580 + device_unregister+0x1a/0x70 + sdebug_remove_adapter+0x8b/0xf0 [scsi_debug] + scsi_debug_exit+0x76/0xe8 [scsi_debug] + __x64_sys_delete_module+0x1c1/0x280 + do_syscall_64+0x77/0x230 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +See also https://www.mail-archive.com/linux-scsi@vger.kernel.org/msg54525.html. + +Fixes: ac0ece9174ac ("scsi: use device_remove_file_self() instead of device_schedule_callback()") +Signed-off-by: Bart Van Assche +Cc: Greg Kroah-Hartman +Acked-by: Tejun Heo +Cc: Johannes Thumshirn +Cc: +Signed-off-by: Greg Kroah-Hartman + +Signed-off-by: Martin K. Petersen + +--- + drivers/scsi/scsi_sysfs.c | 20 ++++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -678,8 +678,24 @@ static ssize_t + sdev_store_delete(struct device *dev, struct device_attribute *attr, + const char *buf, size_t count) + { +- if (device_remove_file_self(dev, attr)) +- scsi_remove_device(to_scsi_device(dev)); ++ struct kernfs_node *kn; ++ ++ kn = sysfs_break_active_protection(&dev->kobj, &attr->attr); ++ WARN_ON_ONCE(!kn); ++ /* ++ * Concurrent writes into the "delete" sysfs attribute may trigger ++ * concurrent calls to device_remove_file() and scsi_remove_device(). ++ * device_remove_file() handles concurrent removal calls by ++ * serializing these and by ignoring the second and later removal ++ * attempts. Concurrent calls of scsi_remove_device() are ++ * serialized. The second and later calls of scsi_remove_device() are ++ * ignored because the first call of that function changes the device ++ * state into SDEV_DEL. ++ */ ++ device_remove_file(dev, attr); ++ scsi_remove_device(to_scsi_device(dev)); ++ if (kn) ++ sysfs_unbreak_active_protection(kn); + return count; + }; + static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete); diff --git a/queue-4.4/scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch b/queue-4.4/scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch new file mode 100644 index 00000000000..c00e8552d01 --- /dev/null +++ b/queue-4.4/scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch @@ -0,0 +1,107 @@ +From 2afc9166f79b8f6da5f347f48515215ceee4ae37 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 2 Aug 2018 10:51:40 -0700 +Subject: scsi: sysfs: Introduce sysfs_{un,}break_active_protection() + +From: Bart Van Assche + +commit 2afc9166f79b8f6da5f347f48515215ceee4ae37 upstream. + +Introduce these two functions and export them such that the next patch +can add calls to these functions from the SCSI core. + +Signed-off-by: Bart Van Assche +Acked-by: Tejun Heo +Acked-by: Greg Kroah-Hartman +Cc: +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + fs/sysfs/file.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ + include/linux/sysfs.h | 14 ++++++++++++++ + 2 files changed, 58 insertions(+) + +--- a/fs/sysfs/file.c ++++ b/fs/sysfs/file.c +@@ -408,6 +408,50 @@ int sysfs_chmod_file(struct kobject *kob + EXPORT_SYMBOL_GPL(sysfs_chmod_file); + + /** ++ * sysfs_break_active_protection - break "active" protection ++ * @kobj: The kernel object @attr is associated with. ++ * @attr: The attribute to break the "active" protection for. ++ * ++ * With sysfs, just like kernfs, deletion of an attribute is postponed until ++ * all active .show() and .store() callbacks have finished unless this function ++ * is called. Hence this function is useful in methods that implement self ++ * deletion. ++ */ ++struct kernfs_node *sysfs_break_active_protection(struct kobject *kobj, ++ const struct attribute *attr) ++{ ++ struct kernfs_node *kn; ++ ++ kobject_get(kobj); ++ kn = kernfs_find_and_get(kobj->sd, attr->name); ++ if (kn) ++ kernfs_break_active_protection(kn); ++ return kn; ++} ++EXPORT_SYMBOL_GPL(sysfs_break_active_protection); ++ ++/** ++ * sysfs_unbreak_active_protection - restore "active" protection ++ * @kn: Pointer returned by sysfs_break_active_protection(). ++ * ++ * Undo the effects of sysfs_break_active_protection(). Since this function ++ * calls kernfs_put() on the kernfs node that corresponds to the 'attr' ++ * argument passed to sysfs_break_active_protection() that attribute may have ++ * been removed between the sysfs_break_active_protection() and ++ * sysfs_unbreak_active_protection() calls, it is not safe to access @kn after ++ * this function has returned. ++ */ ++void sysfs_unbreak_active_protection(struct kernfs_node *kn) ++{ ++ struct kobject *kobj = kn->parent->priv; ++ ++ kernfs_unbreak_active_protection(kn); ++ kernfs_put(kn); ++ kobject_put(kobj); ++} ++EXPORT_SYMBOL_GPL(sysfs_unbreak_active_protection); ++ ++/** + * sysfs_remove_file_ns - remove an object attribute with a custom ns tag + * @kobj: object we're acting for + * @attr: attribute descriptor +--- a/include/linux/sysfs.h ++++ b/include/linux/sysfs.h +@@ -238,6 +238,9 @@ int __must_check sysfs_create_files(stru + const struct attribute **attr); + int __must_check sysfs_chmod_file(struct kobject *kobj, + const struct attribute *attr, umode_t mode); ++struct kernfs_node *sysfs_break_active_protection(struct kobject *kobj, ++ const struct attribute *attr); ++void sysfs_unbreak_active_protection(struct kernfs_node *kn); + void sysfs_remove_file_ns(struct kobject *kobj, const struct attribute *attr, + const void *ns); + bool sysfs_remove_file_self(struct kobject *kobj, const struct attribute *attr); +@@ -351,6 +354,17 @@ static inline int sysfs_chmod_file(struc + return 0; + } + ++static inline struct kernfs_node * ++sysfs_break_active_protection(struct kobject *kobj, ++ const struct attribute *attr) ++{ ++ return NULL; ++} ++ ++static inline void sysfs_unbreak_active_protection(struct kernfs_node *kn) ++{ ++} ++ + static inline void sysfs_remove_file_ns(struct kobject *kobj, + const struct attribute *attr, + const void *ns) diff --git a/queue-4.4/series b/queue-4.4/series index a79f4787fa6..f5395ff05e5 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -68,3 +68,13 @@ asoc-sirf-fix-potential-null-pointer-dereference.patch pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch x86-irqflags-mark-native_restore_fl-extern-inline.patch x86-spectre-add-missing-family-6-check-to-microcode-check.patch +s390-fix-br_r1_trampoline-for-machines-without-exrl.patch +s390-qdio-reset-old-sbal_state-flags.patch +s390-pci-fix-out-of-bounds-access-during-irq-setup.patch +kprobes-make-list-and-blacklist-root-user-read-only.patch +mips-correct-the-64-bit-dsp-accumulator-register-size.patch +mips-lib-provide-mips64r6-__multi3-for-gcc-7.patch +scsi-sysfs-introduce-sysfs_-un-break_active_protection.patch +scsi-core-avoid-that-scsi-device-removal-through-sysfs-triggers-a-deadlock.patch +iscsi-target-fix-session-creation-failure-handling.patch +cdrom-fix-info-leak-oob-read-in-cdrom_ioctl_drive_status.patch